[Openswan Users] Destination Private Network unreachable but Tunnel is UP
Curu Wong
prinbra at gmail.com
Sun Jul 31 03:46:10 EDT 2011
add:
leftsourceip=172.19.253.1
If this is still not OK, remove:
leftnexthop=xxx
and try
2011/7/31 Imtiaz Rahi <imtiaz.rahi at gmail.com>
> Guys I still need your help. Please help and respond.
>
> Tunnel is definitely up and the other side (router) can ping us but we
> can't.
> My iptables is empty, only 1 nat rule (MASQ) for private IP. The other
> side does not have firewall rules blocking us.
> I checked mtr ( mtr --address 172.19.253.1 10.1.4.8 ) and it just
> tries to go through the default route of the server.
> How can I check / ensure that the IPsec tunnel added specific routes ???
>
> Just today learned that IPsec (netkey) adds things in "ip xfrm". But I
> have no knowledge about the XFRM framework and no other doc found except
> for the "man".
>
> Here are the XFRM outputs:
>
> sudo ip xfrm state
> src 203.112.xxx.xx dst 210.4.xx.xxx
> proto esp spi 0x6e7ff7ae reqid 16385 mode tunnel
> replay-window 32
> auth hmac(md5) 0x6ec07b7259a38c05ae759cb5d1de996a
> enc cbc(des3_ede) 0x3fe779cd9ddb27eabe7d84a12f9f2af8918cc6e94f27fcac
> sel src 0.0.0.0/0 dst 0.0.0.0/0
> src 210.4.xx.xxx dst 203.112.xxx.xx
> proto esp spi 0x1c50e944 reqid 16385 mode tunnel
> replay-window 32
> auth hmac(md5) 0x866f8931c93ad884eba2bea0471b5222
> enc cbc(des3_ede) 0x8e2ecaece87a81612e2a7efb7e64949f739d35810165b827
> sel src 0.0.0.0/0 dst 0.0.0.0/0
>
> sudo ip xfrm policy
> src 172.19.253.0/29 dst 10.1.4.0/24
> dir out priority 2184
> tmpl src 210.4.xx.xxx dst 203.112.xxx.xx
> proto esp reqid 16385 mode tunnel
> src 10.1.4.0/24 dst 172.19.253.0/29
> dir fwd priority 2184
> tmpl src 203.112.xxx.xx dst 210.4.xx.xxx
> proto esp reqid 16385 mode tunnel
> src 10.1.4.0/24 dst 172.19.253.0/29
> dir in priority 2184
> tmpl src 203.112.xxx.xx dst 210.4.xx.xxx
> proto esp reqid 16385 mode tunnel
> src 0.0.0.0/0 dst 0.0.0.0/0
> dir 4 priority 0
> .......................... (lots)
>
>
> cheers // Imtiaz Rahi
>
>
> On Wed, Jul 27, 2011 at 3:19 PM, Willie Gillespie
> <wgillespie+openswan at es2eng.com> wrote:
> > If the tunnel is up, it could be a firewall issue.
> > Can you test with iptables off? And try pinging from both sides?
> >
> > On 7/27/2011 2:50 AM, Imtiaz Rahi wrote:
> >> Anyone please respond and help me.
> >>
> >> cheers // Imtiaz Rahi
> >>
> >>
> >> On Mon, Jul 25, 2011 at 7:19 PM, Imtiaz Rahi<imtiaz.rahi at gmail.com> wrote:
> >>> Hi People,
> >>>
> >>> I am a first timer with IPsec VPN and Openswan.
> >>> I am setting up an IPsec VPN from a Linux box to Cisco router.
> >>> Linux: Ubuntu 10.04 LTS Openswan U2.6.23/K2.6.32-30-server (netkey)
> >>> Cisco: Cisco 2821
> >>>
> >>> Here is the IPsec network diagram
> >>> 172.19.253.0/29 === 210.4.xx.xxx --- 210.4.xx.xxx ... 203.112.xxx.xx
> >>> --- 203.112.xxx.xx === 10.1.4.0/24;
> >>> Linux VPN box
> >>> Cisco router
> >>>
> >>>
> >>> "ipsec status" says my tunnel is up and some eroutes exist. But I can
> >>> not reach the destination network.
> >>> I am trying to ping 10.1.4.8 like below and unsuccessful;
> >>>
> >>> ping 10.1.4.8 -I 172.19.253.1
> >>> PING 10.1.4.8 (10.1.4.8) from 172.19.253.1 : 56(84) bytes of data.
> >>>
> >>> ^C
> >>> --- 10.1.4.8 ping statistics ---
> >>> 14 packets transmitted, 0 received, 100% packet loss, time 13007ms
> >>>
> >>> Please help me here.
> >>>
> >>> Cheers // Imtiaz Rahi
> >>>
> >>>
> >>> P.S. Here is the ipsec.conf for reference
> >>>
> >>> ==================================================
> >>> version 2.0
> >>>
> >>> config setup
> >>> nat_traversal=yes
> >>> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
> >>> oe=off
> >>> protostack=netkey
> >>> interfaces=%defaultroute
> >>>
> >>> conn teletalk-vpn
> >>> type=tunnel
> >>> authby=secret
> >>> left=210.4.xx.xxx
> >>> leftnexthop=210.4.xx.xxx
> >>> leftsubnet=172.19.253.1/29
> >>> leftupdown=/usr/lib/ipsec/_updown
> >>> right=203.112.xxx.xx # Cisco 2821
> >>> rightnexthop=203.112.xxx.xx
> >>> rightsubnet=10.1.4.0/24
> >>> keyexchange=ike
> >>> keylife=1h
> >>> ike=3des-md5-modp1024
> >>> phase2alg=3des-md5
> >>> pfs=no
> >>> auto=start
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
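As an added example (not from any poster in this thread), a small Python checker for the question above about whether the xfrm policies actually cover a flow: it parses `ip xfrm policy` / `ip xfrm state` output in the shape quoted in the thread, finds the `dir out` selector that matches a source/destination pair, and confirms a matching SA exists for that template. The public addresses 210.4.0.1 and 203.112.0.2 are made-up stand-ins for the masked ones; the second call shows why the leftsourceip suggestion matters, since a packet sourced from the public address falls outside the 172.19.253.0/29 selector and is not sent through the tunnel.

```python
import ipaddress

# Constructed sample modelled on the thread's `ip xfrm policy` / `ip xfrm state`
# output; the masked public addresses are replaced with made-up 210.4.0.1 / 203.112.0.2.
XFRM_POLICY = """\
src 172.19.253.0/29 dst 10.1.4.0/24
    dir out priority 2184
    tmpl src 210.4.0.1 dst 203.112.0.2
        proto esp reqid 16385 mode tunnel
src 10.1.4.0/24 dst 172.19.253.0/29
    dir in priority 2184
    tmpl src 203.112.0.2 dst 210.4.0.1
        proto esp reqid 16385 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 4 priority 0
"""
XFRM_STATE = """\
src 210.4.0.1 dst 203.112.0.2
    proto esp spi 0x6e7ff7ae reqid 16385 mode tunnel
src 203.112.0.2 dst 210.4.0.1
    proto esp spi 0x1c50e944 reqid 16385 mode tunnel
"""

def parse_records(text):
    """Turn `ip xfrm` output into dicts; a record starts at each 'src A dst B' line."""
    records = []
    for raw in text.splitlines():
        toks = raw.split()
        if not toks:
            continue
        if toks[0] == "src":                  # selector line opens a new record
            records.append({})
        prefix = ""
        if toks[0] == "tmpl":                 # "tmpl src X dst Y" -> tmpl_src / tmpl_dst
            toks, prefix = toks[1:], "tmpl_"
        if len(toks) % 2:                     # auth/enc/sel lines are not key-value pairs; skip
            continue
        records[-1].update({prefix + k: v for k, v in zip(toks[::2], toks[1::2])})
    return records

def outbound_check(policy_text, state_text, src_ip, dst_ip):
    """Which 'dir out' selector catches src_ip -> dst_ip, and does its SA exist?"""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    best = None
    for p in parse_records(policy_text):      # lowest priority number wins
        if p.get("dir") == "out" and src in ipaddress.ip_network(p["src"]) \
                and dst in ipaddress.ip_network(p["dst"]) \
                and (best is None or int(p["priority"]) < int(best["priority"])):
            best = p
    if best is None:                          # no policy: packet leaves in the clear via normal routing
        return None, False
    sa = any(s.get("src") == best.get("tmpl_src") and s.get("dst") == best.get("tmpl_dst")
             and s.get("reqid") == best.get("reqid") for s in parse_records(state_text))
    return f"{best['src']} -> {best['dst']}", sa
```

`outbound_check(XFRM_POLICY, XFRM_STATE, "172.19.253.1", "10.1.4.8")` reports the /29 -> /24 selector with its SA present, while the same call with source `210.4.0.1` returns no policy at all. On a live box, feed it the real command output and compare the result with what `ip route get` says for the same pair.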